DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Recent NYS audits of K-12 school districts’ infosecurity

Posted on July 27, 2023 by Dissent

A toot by Doug Levin yesterday reminded me that I haven’t posted NYS Comptroller audits of school districts in a while.  So here are three to get caught up:

Jericho Union Free School District – Acceptable Use Policy (2022M-194)

Issued Date: July 21, 2023

Audit Objective

Determine whether Jericho Union Free School District (District) officials helped safeguard personal, private and sensitive information (PPSI) by developing controls and communicating an acceptable use policy (AUP) to business office staff.

Key Findings

District officials did not help safeguard PPSI by developing and communicating a comprehensive AUP to business office staff. As a result, PPSI related to District employees and finances could be exposed because some websites may be malicious or contain code to compromise a user’s computer or prompt the user to perform activities that may result in malware infection or PPSI exposure. In addition to sensitive information technology (IT) weaknesses that were communicated confidentially to officials, we found:

  • All nine business office employees, including the Assistant Superintendent for Business Affairs (ASB), were not aware that they were expected to follow the Computer Network and Internet Student Acceptable Use policy or what the District considers to be appropriate and inappropriate Internet use.
  • District officials did not periodically review web histories to determine whether any employee’s web browsing was inappropriate.

Key Recommendations

  • Ensure the AUP is updated, or administrative regulations are developed, to provide guidance for business office staff that defines acceptable Internet use and browsing.
  • Ensure business office staff who utilize computers are adequately informed of the regulations.

District officials disagreed with certain aspects of our findings and recommendations. Appendix B includes our comments on issues raised in the District’s response letter.

Read the full report (pdf)

West Hempstead Union Free School District – Nonstudent Network User Account Controls (2023M-9)

Issued Date: July 14, 2023

Audit Objective

Determine whether West Hempstead Union Free School District (District) officials established adequate controls over nonstudent network user accounts to help prevent unauthorized use, access and loss.

Key Findings

District officials did not establish adequate controls over nonstudent network user accounts to help prevent unauthorized use, access and loss. In addition to sensitive information technology (IT) control weaknesses that were communicated confidentially to officials, we found that the Board of Education (Board) and District officials did not:

  • Develop and adopt policies and procedures addressing key network user access controls, such as user account management, password security and user account controls.
  • Disable 60 of the District’s enabled nonstudent network accounts (11 percent) that were not needed. Twenty-two of these accounts (37 percent) have not been used in more than five years, with the oldest being last used more than 10 years ago. These accounts include:
    • 53 former employee network accounts, and
    • 7 network service accounts used for hardware devices and email aliases.

Key Recommendations

  • Adopt comprehensive network user account policies and procedures addressing securing user accounts with passwords and adding, disabling and changing user access.
  • Periodically review user access for all nonstudent network user accounts and disable user accounts when access is no longer needed.

District officials disagreed with certain aspects of our findings and recommendations, but indicated they have initiated or plan to initiate corrective action. Appendix B includes our comments on issues raised in the District’s response letter.

Read the full report (pdf).

Sewanhaka Central High School District – Business Office Information Technology Systems (2023M-12)

Issued Date: June 30, 2023

Audit Objective

Determine whether Sewanhaka Central High School District (District) officials developed an information technology (IT) contingency plan to help secure and protect business office IT systems in the event of a disruption or disaster.

Key Findings

District officials did not develop an IT contingency plan to help them adequately secure and protect business office IT systems in the event of a disruption or disaster.

Without a comprehensive written IT contingency plan in place that is properly distributed to all business office staff and periodically tested for efficacy, District officials have less assurance that employees and other responsible parties will react quickly and effectively to maintain business continuity. As a result, important financial and other business office data could be lost or suffer a disruption to operations.

Additional sensitive IT control weaknesses were communicated confidentially to District officials.

Key Recommendations

  • Develop, adopt and test a written IT contingency plan and communicate it to appropriate officials and employees.

District officials agreed with our findings and have initiated or plan to initiate corrective action.

Read the full report (pdf).

Category: Commentaries and AnalysesEducation Sector

Post navigation

← Leaking Someone’s Personal Data Will Cost You Up to $2 Million in Pakistan
CardioComm, a provider of ECG monitoring devices, confirms cyberattack downed its services →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Almost one year later, U.S. Dermatology Partners is still not being very transparent about their 2024 breach
  • Oklahoma Expands its Security Breach Notification Law
  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.
  • North Shore University Sleep Disorders Center employee charged with secretly recording patients in restrooms
  • When ransomware listings create confusion as to who the victim was
  • Rajkot civic body’s GIS website hit by cyber attack, over 400 GB data feared stolen
  • Taiwan’s BitoPro hit by NT$345 million cryptocurrency hack
  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Florida ban on kids using social media likely unconstitutional, judge rules
  • State Data Minimization Laws Spark Compliance Uncertainty
  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.